A Study on Information Security Departmentalization Model

Hyunsik Kang, Jungduk Kim


Information security organization has normally been organized under the IT department. However, as the importance of information security has gradually increased, the way of information security organized for enterprise security management has become a noteworthy issue. The need for separation of Information security organization from IT department is growing, such as restriction on the concurrent positions in CIO and CISO. Nowadays there are many studies about Information security organization while relatively there has been minimal research regarding a departmentalization. For these reasons this study proposes a Information Security Departmentalization Model which is based on business risk and reliance on the IT for effectively organizing Information security organization, using Contingency theory. In addition, this study classified the position of Information security organization into Planning & Coordination, Internal Control, Management and IT and analyze the strengths and weaknesses of each case.

Full Text:



BoanNews, “The CISO should manage Security Organization,” 2014.

Oh, S. H., “Organization Theory,” Pakyoungsa, 2011.

Bob, B., “Information Security is Information Risk Management,” The 2001 workshop on New security paradigms, pp. 97-104, 2001.

Bruns, W. J., “Budgetary Control and Organization Structure,” Journal of Accounting Research, Vol. 13, No. 2, pp. 177-203, 1975.

COSO, “Enterprise Risk Management: Integrated Framework: Executive Summary,” 2004.

Dr. Gerald, K., “Establishing an Information Systems Security Organization (ISSO),” Computers and Security, Vol. 17, No. 7, pp. 600-612, 1998.

Evan Wheeler, “Organizational Stricture What Works,” 2011.

Forrester, “Security Organization 2.0: Building a Robust Security Organization,” 2010.

Gartner, “Determining Whether the CISO Should Report Outside of IT,” 2014.

Gartner, “Difference between governance, management, operation,” 2011.

IBM, “Introducing the IBM Security Framework and IBM Security Blueprint to Realize Business-Driven Security,” 2009.

ISO/IEC, ISO/IEX 27000: Information security management systems: Overview and vocabulary, 2013.

Jay, R. Galbraith, Designing Organizations, Pfeiffer, 2001.

Kang, M. A., Son, J. Y., and Kim, H. J., “A Study on applicability of Mixed-methodology,” “Korean Public Administration Review,” Vol. 41, No. 4, pp. 415-437. 2007.

Pennings, J. M., “Structural contingency theory: A reappraisal,” Research In Organizational Behavior, Vol. 14, pp. 267-309, 1992.

Richard, H. H., “Intraorganizational Structural Variation: Application of the Bureaucratic Model,” Sage Publications, Inc., Vol. 7, No. 3, pp. 295-308, 1962.

Richard, L., Organization Theory and Design, Cengage Learning, 2012.

Stephen, P., Robbins, Organizational Behavior, Prentice Hall, 2014.

Yoo, J. H., “Comparison of Information Security Controls by Leadership of Top Management,” The Journal of Society for e-Business Studies, Vol. 19, No. 1, pp. 63-78, 2014.


  • There are currently no refbacks.